Flash Zero-Day Using Dailymotion.com for Malvertising

Yet another zero-day exploit for Adobe Flash Player has emerged in the wild, thanks to a critical vulnerability that allows drive-by-download attacks. A malvertising-based attack based on the exploit is now spiking in the US.

The flaw (CVE-2015-0313) exists in Adobe Flash Player and earlier versions for Windows and Mac, and affects systems running Internet Explorer and Firefox on Windows 8.1 and below. Adobe said that exploits can cause the system to crash and potentially allow an attacker to take control.

According to Trend Micro, visitors of the popular site dailymotion.com are being redirected to a series of sites that eventually lead to the URL hxxp://www.retilio.com/skillt.swf, where the exploit itself is hosted. Since advertisements are designed to load once a user visits a site, the infection happens automatically.

“Our initial analysis suggests that this might have been executed through the use of the Angler Exploit Kit, due to similarities in obfuscation techniques and infection chains,” the firm explained. It added, “It is likely that this was not limited to the Dailymotion website alone, since the infection was triggered from the advertising platform and not the website content itself.”

Trend Micro said that the attack dates back to at least January 14. However, attacks “took a turn for the worse” starting on January 27, with a spike in hits to the affected site.

Adobe said that it’s actively working on a patch, and expects to release an update for Flash Player this week.

It’s the third zero-day for Flash in January alone, and it’s remarkably similar to the previous flaw, which affects any version of Internet Explorer or Mozilla Firefox with any version of Windows. Again, the Angler exploit kit was found to be exploiting the issue in the wild, and was using it in a malvertising attack. In that case, Angler was dropping the trojan downloader Bedep—which in turn is being used for two main purposes: hijacking PCs for ad fraud (an infected PC becomes a zombie in a botnet that generates fake clicks on ads for pay-per-click revenue) and for downloading ransomware like CryptoLocker. 

What’s Hot on Infosecurity Magazine?